[Apparmor-dev] AppArmor Development
John Johansen
jjohansen at suse.de
Wed Nov 5 17:06:28 MST 2008
John Johansen wrote:
> Jacob I. Torrey wrote:
>> John,
>> It's good to hear that there is still progress being made. I guess I
>> can start on the user-land side of things, as I'm more comfortable
>> there, and hopefully move further down as I get more comfortable. I also
>> have heard the desire from a few users to make a directory context, so
>> that apparmor can restrict untrusted users' self-compiled apps. For
>> example, if I have a server, and I give Jim access, who decides to go on
>> a rampage against my system, I would be able to define a default,
>> restrictive profile for /home/** or /tmp/**. Not sure if that's an
>> interesting idea or not, but it might be a nice feature.
>> I look forward to reading more about how AppArmor is going to evolve!
>>
>
> By directory context you mean allow specifying profile attachment based
> off of a regex, correct? So that if your profile name is /home/** it
> will attach to any unconfined applications launched from within the
> /home/** directory.
>
> This is an idea that has been bantered around for as long as I can
> remember and has just never been implemented. Basically it provides a
> way of specifying default profiles, and taken to its logical conclusion
> you would apply the most specific profile. So you could have a profile
> list like
>
> /usr/bin/foo #specific profile match first.
> /usr/bin/** #fall back profile for executables
> /** #default profile
>
>
> The idea certainly has its uses and it could be one of the features that
> go into AA 2.4/3.0.
>
> In general it hasn't been done yet because there have been more pressing
> issues to deal with. AA2.3 made some steps towards providing for more
> generic profiles and this is the next logical step.
>
I just wanted to add a little more to this explanation as to why this
feature has not been high priority. Entering AppArmor confinement for an
unconfined user is pretty much voluntary. Unless you provide default
profiles for everywhere a given user can write, the user can get around
the system confinement by either copying executables or creating hardlinks.
That is why it can be easier to just confine the user if you want to
limit what they can run. And once you confine the user, the rules in the
profile determine what can be run.
The main thrust of AppArmor 2.3 was actually about making it easier to
confine a user. Better link rules, owner conditional rules, a more
generic profile and transition model, and the ability to set capabilities.
That isn't to say this feature isn't useful; it can be used to provide a
default profile for px transitions as well as attachment against
unconfined applications.
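The two points in this thread, "most specific attachment wins" and "path-based attachment is voluntary unless every writable location has a default profile", can be modelled in a few lines. The following is an added example written for this page, not AppArmor's own matching code: it translates AppArmor-style path globs (`**` crosses `/`, `*` and `?` do not) into regexes, ranks matching attachments by an assumed specificity rule (exact path first, then longest literal prefix), and then shows that copying or hard-linking a binary to a path with no matching profile resolves to "unconfined". The profile lists and paths are constructed for the demo.

```python
import os
import re
import tempfile
from typing import Iterable, Optional, Tuple

# Constructed profile set mirroring the precedence list in the message.
PROFILES = ["/usr/bin/foo", "/usr/bin/**", "/**"]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an AppArmor-style path glob into an anchored regex.

    Assumed glob semantics (as documented for AppArmor paths):
      **  matches any run of characters, including '/'
      *   matches any run of characters except '/'
      ?   matches one character except '/'
    Everything else is literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def specificity(pattern: str) -> Tuple[bool, int]:
    """Rank attachments: an exact path (no glob) beats any glob, and among
    globs the longer literal prefix wins. This ordering is an assumption
    made for the example, not a statement of the kernel's rule."""
    m = re.search(r"[*?]", pattern)
    literal = pattern if m is None else pattern[: m.start()]
    return (m is None, len(literal))


def resolve(exe_path: str, profiles: Iterable[str]) -> Optional[str]:
    """Return the attachment of the most specific matching profile,
    or None when nothing matches (the exec stays unconfined)."""
    matches = [p for p in profiles if glob_to_regex(p).match(exe_path)]
    if not matches:
        return None
    return max(matches, key=specificity)


def bypass_demo() -> Tuple[Optional[str], Optional[str]]:
    """Copying /usr/bin/foo to the user's home directory escapes a profile
    that is attached only by the original path; a /home/** default catches it."""
    specific_only = ["/usr/bin/foo"]
    with_defaults = ["/usr/bin/foo", "/home/**", "/tmp/**"]
    copied = "/home/jim/foo"  # same bytes as /usr/bin/foo, different path
    return resolve(copied, specific_only), resolve(copied, with_defaults)


def hardlink_demo() -> Tuple[bool, Optional[str], Optional[str]]:
    """A hard link is the same inode under a second path, so no data is even
    copied, yet a profile attached to the original path no longer matches."""
    with tempfile.TemporaryDirectory() as d:
        orig = os.path.join(d, "foo")
        link = os.path.join(d, "jim", "foo")
        os.makedirs(os.path.dirname(link))
        with open(orig, "w") as f:
            f.write("#!/bin/sh\necho hi\n")  # constructed stand-in binary
        os.link(orig, link)
        same_inode = os.path.samefile(orig, link)
        return same_inode, resolve(orig, [orig]), resolve(link, [orig])


if __name__ == "__main__":
    for exe in ["/usr/bin/foo", "/usr/bin/bar", "/usr/bin/sub/tool", "/opt/app/run"]:
        print(f"{exe:20} -> {resolve(exe, PROFILES)}")
    print("copy to /home (specific only, with defaults):", bypass_demo())
    print("hardlink (same inode, orig, link):", hardlink_demo())
```

The model makes the cost of the feature visible: every directory a user can write to needs its own default attachment, or the user picks the path at which confinement does not apply. Confining the user's shell instead, as the message recommends, makes the profile's exec rules decide what may run regardless of path.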